Virus Bulletin, January 1993

January 1993 ISSN 0956-9979

THE AUTHORITATIVE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Richard Ford Technical Editor: Fridrik Skulason Consulting Editor: Edward Wilding

Advisory Board: Jim Bates, Bates Associates, UK, Andrew Busey, Datawatch Corporation, USA, David M. Chess, IBM Research, Phil Crewe, Fingerprint, UK, David Ferbrache, Defence Research Agency, UK, Ray Glath, RG Software Inc., USA, Hans Gliss, Datenschutz Berater, West Germany, Ross M. Greenberg, Software Concepts Design, USA, Dr. Harold Joseph Highland, Compulit Microcomputer Security Evaluation Laboratory, USA, Dr. Jan Hruska, Sophos, UK, Dr. Keith Jackson, Walsham Contracts, UK, Owen Keane, Barrister, UK, John Laws, Defence Research Agency, UK, Tony Pitts, Digital Equipment Corporation, UK, Yisrael Radai, Hebrew University of Jerusalem, Israel, Martin Samociuk, Network Security Management, UK, John Sherwood, Sherwood Associates, UK, Prof. Eugene Spafford, Purdue University, USA, Dr. Peter Tippett, Certus Corporation, USA, Steve R. White, IBM Research, Dr. Ken Wong, PA Consulting Group, UK, Ken van Wyk, CERT, USA.

CONTENTS SCANNER UPDATE 1993 Scanner Shoot-Out 8 EDITORIAL Imageline v. McAfee 2 VIRUS ANALYSES

NEWS 1. The CMOS1 Virus 13 2. DOSHUNTER - Search S&S Caught Out 3 And Destroy 15 Chinese Whispers 3 3. Penza - Variations on a Familiar Theme 16 A Rose By Any Other Name 3

PRODUCT REVIEWS IBM PC VIRUSES (UPDATE) 4 1. IBM AntiVirus 18 INSIGHT 2. PC Tools 8 21

Scotland Yard’s Virus Hunters 6 END NOTES & NEWS 24

VIRUS BULLETIN ©1993 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139. /90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers. Page 2 VIRUS BULLETIN January 1993

and damage to Imageline’s business reputation as a result of EDITORIAL the false indications that Imageline’s products are infected with viruses.’

Imageline v. McAfee Bill McKiernan, President of McAfee Associates, refused to comment on the case and simply stated that the suit is The detection of a virus in an uninfected file is an all-too ‘totally without merit’ and that McAfee Associates ‘will frequent occurrence with virus scanners. This is not always vigorously defend itself.’ the manufacturer’s fault, but the knotty problem of whether the anti-virus software vendor is in any way liable for any The implications of this case are far-reaching. Arguably, subsequent inconvenience has, until now, to be explored. false positives are becoming the overriding concern for both This important question is about to be addressed in the the anti-virus industry and the users. It is commercially United States, as McAfee Associates is being sued for damaging for a virus scanner to produce false positives - $750,000 as a result of a false positive dispute. even more so than its missing a handful of viruses.

The central issue in the case is not directly about a scanner It is equally damaging to software which is erroneously detecting a false positive, but addresses the issue of what identified as infected, as this can result in loss of confidence action the manufacturer is required to take when such a in the package. The question of how to act when such a situation occurs. situation occurs now needs to be addressed.

The problem arose at the start of last year, when McAfee Every virus scanner is prone to false positives - it is Associates Pro-Scan version 2.33 detected the 7808 virus in something which occurs to all scanner manufacturers from an executable sent out with some clip-art. Imageline, the time to time. Clearly a situation in which litigation can producers of the clip-art, contacted McAfee, which updated result from any false positive identification is ridiculous. In its software, thus removing the false positive problem. At these circumstances, scanner manufacturers would have no this point the dispute should have ended. choice but to shut up shop and return home.

However, Imageline continued to receive complaints about If this case shows that a vendor has no responsibility for its software being infected with a virus, although McAfee false positives produced by its product, a worrying prec- Associates assured Imageline that ‘As far as McAfee can edent is set: if a company is sufficiently small, and its determine, it has distributed fewer than forty copies of Pro- software is of limited circulation, an anti-virus vendor could Scan version 2.33.’ By this time, Imageline’s product had simply ignore its plea for help. Put bluntly, if the problem is acquired a somewhat tarnished image, and so they implored small enough, there is no financial incentive for the anti- McAfee Associates to inform all customers of the problem. virus manufacturer to set the record straight.

Imageline finally sought a court injunction which required The results of this action may well affect those distributing McAfee Associates to stop distribution of that version of shareware anti-virus software more than other vendors. It is Pro-Scan and any third party products which used that far easier to inform users of a potential problem if they have version under licence. The injunction also ordered McAfee purchased software directly than to trace users of an to inform all buyers of the product about the problem. electronically distributed product, which could have been downloaded from one of any number of bulletin boards. According to documents obtained by Virus Bulletin, Imageline is now suing for ‘compensatory damages in the If it is shown that the onus is on the scanner manufacturer to amount of $250,000 and punitive damages in the amount of deal with false positives, the problem of deliberately $500,000’. In the complaint, brought in Civil Action including scan strings within code raises its ugly head. It Number 3:92CV710, Imageline claims that ‘The mere would then be possible to target a scanner, and force its accusation that computer software contains a virus threatens vendors to alter search patterns. The even more complicated immediate destruction of the software’s viability in the issue of scanners detecting virus patterns in other scanners market. In the case of a start up company such as could become a legal minefield. In such a world, only the Imageline, such accusations create a substantial risk that the brave or the foolish would produce a scanner. company could be forced out of business.’ Whichever way the case is decided there are stormy seas Furthermore, the action alleges that ‘As a direct, proximate ahead for both the software industry and, more specifically, and foreseeable result of the foregoing misrepresentation by the anti-virus industry. McAfee Associates is certainly not McAfee, Imageline has been damaged. Such damages the only scanner manufacturer who will be waiting for the include, but are not limited to, the loss of sales opportunities results of the trial with bated breath.

The story originated at a press conference held by Titia NEWS Electroniks. This company acts as an agent for Computer Security Engineers Ltd, developer of the PCVP anti-virus S&S Caught Out package. De Telegraaf sent a financial editor, Klaus Steenhuis to the meeting. It was during this press conference that Steenhuis and assembled journalists were told, as Dr Solomon’s Anti-Virus Toolkit has failed to detect a virus an aside, how the Nines Complement virus had been found on some five hundred evaluation copies of a printer driver in a single pharmacy. From this small beginning grew De from Limerick-based software manufacturer DCA. The Telegraaf’s front page news story. infected disks were sent to journalists throughout Western Europe and the Middle East. The first report received by Virus Bulletin spoke of ‘NineComp virus being endemic in pharmacies in the A copy of the virus was subsequently sent to S&S Interna- Hague, with hundreds of machines affected.’ The number of tional which identified it as a NoInt variant. Ironically, this machines that were actually infected in the original incident new variant was detected by many other virus scanners on was, in fact, just two. the market. It appears that the search string used by the Toolkit had been targeted and altered in the variant. It is worthwhile looking to see who are the winners and losers in this story. The obvious loser is the Dutch public, This incident again illustrates the danger of relying on one which has lost still more faith in the computer and has had single package for virus detection - two or more unrelated its technophobia reinforced. The winner was De Telegraaf, scanners should always be used for critical machines. It also which gained a suitably lurid headline. emphasises the shortcomings of using virus-specific detection. A sound anti-virus strategy should therefore But what about the anti-virus industry? On the one hand, always encompass integrity checking. the report raised the public perception of the danger of computer viruses. On the other, such recurring sensational- Placing a sticker on a disk which reads ‘certified virus-free ism has further tarnished the industry’s already less than by Acme Software’ is no guarantee of that disk’s integrity. shining reputation. A more meaningful claim would simply state ‘Scanned for viruses known to Acme Software.’ Exaggeration, misinterpretation and ‘Chinese whispering’ may well prove the downfall of a number of industry Before other vendors crow too much over S&S’s misfor- ‘names’ and organisations. In December, anti-virus su- tune, they should be reminded that such a mishap could premo John McAfee was investigated in the Wall Street have happened to any of them. Whose turn will it be next? Journal while in Germany, Der Spiegel recently printed a blistering attack on well-known virus aficionados including Chinese Whispers Professor Klaus Brunnstein, EICAR and the NCSA.

De Telegraaf, the largest circulation paper in The Nether- True or false, such media antipathy damages the reputation lands, recently ran the headline: ‘Virus error in prescription of all those involved in the anti-virus field and undermines almost fatal. Infected PC dangerous to human lives’. public confidence. The story described how a patient had nearly been given a lethal dose of morphine due to a computer virus which had A Rose By Any Other Name infected pharmacy PCs used for drug dispensing. The virus Until recently, Virus Bulletin provided the only recognised known as Nines Complement is of interest because it standard naming convention in the industry. However, at transposes all printed digits between 0 and 9, such that a 1 the EICAR ’92 conference held in Munich, CARO was becomes an 8, a 2 changes to a 7 and so on. strongly pushing its own standard naming convention for many of the viruses known to date. Although CARO names Such a dramatic story contains all the necessary ingredients and Virus Bulletin names are reasonably compatible, there to make front page news. Predictably, the original report is still some disagreement between the two systems. rapidly became embellished beyond all recognition. On the early morning television there were reviews of the day’s Greater standardisation of virus names will be of benefit to newspapers, and by mid-morning many people falsely users worldwide. A great deal of confusion is caused by the believed that it was unsafe to take any prescribed medicine. current situation, where the same virus may have two or The reports snowballed, and eventually messages on local more different names. CARO intends to extend its work, radio stations were needed to reassure an understandably and discussions are in progress about a proposed database perplexed population. of virus information, CARObase.

IBM PC VIRUSES (UPDATE)

Updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 24th December 1992. Each entry consists of the virus’ name, its aliases (if any) and the virus type. This is followed by a short description (if available) and a 24-byte hexadecimal search pattern to detect the presence of the virus with a disk utility or preferably a dedicated scanner which contains a user-updatable pattern library.

Type Codes C = Infects COM files E = Infects EXE files D = Infects DOS Boot Sector (logical sector 0 on disk) M = Infects Master Boot Sector (Track 0, Head 0, Sector 1) N = Not memory-resident R = Memory-resident after infection P = Companion virus L = Link virus

Known Viruses

_288, Dismember - CN: A simple, encrypted virus, 288 bytes long. _288 5D8D 5E0E B90F 01B0 ??30 0743 E2FB _354 - CN: A 354 byte virus. Awaiting analysis, but might have been written by the author of the Loki virus. _354 8B5D 09CD 21B4 3ECD 21B8 0143 32ED 8A4D 0BCD 21C3 1E07 FFE5 _377 - CN: A 377 byte virus. Awaiting analysis. _377 FFE3 5225 00F0 3D00 F074 5F83 C31E 8BD3 B43D B002 CD21 8BD8 _547 - CR: A 547 byte virus. Awaiting analysis. _547 9C3D 004B 7403 E95C 012E 8C16 2F02 2E89 2631 028C C88E D0B8 _889 - CER: A 889 byte virus. Awaiting analysis. _889 3D00 4B74 03E9 2D01 FC2E C606 FD00 00B9 0001 1E07 B02E 8BFA ARCV - EN: Several new viruses have appeared from ARCV recently, some of which are simple PS-MPC variant but others appear to be written from scratch. According to the ‘president’ of ARCV, the group has created over 40 new viruses, which can be divided into several groups. Joshua (965 bytes) and ARCV-7 (541 bytes) are related variants that do nothing particularly interesting. ARCV-7 will damage many of the files it attempts to infect. ARCV-Joshua BB?? ??B9 DA01 2E81 37?? ??83 C302 4975 F5 ARCV-7 BAFA FEBD ???? 2E81 7600 ???? 4545 4275 F5 AT-140 - CR: A 140 byte virus which does nothing but replicate. Like all other members of the AT family, it will only work on a 286 and above. AT-140 8BE8 B18C 2BC1 3B44 0174 16B4 40CD F7B8 0042 33C9 CDF7 B440 Bit Addict - CR: A 477 byte virus. Awaiting analysis. Bit addict 80FC 4B74 052E FF2E 1F00 2E80 3E23 0064 7226 B802 0033 DBB9 Cinderella-B - CR: A 390 byte mutation of the Cinderella virus. Detected with the Cinderella pattern. Cinderella II - CR: This virus has been reported in the wild in Finland. It does not seem to be related to the Cinderella virus, but might have been written by the same author. Cinderella II 80FC 4B74 0880 FC3D 7403 E924 0253 5106 5657 1E52 5055 8BEC Cpw - CER: A 1459 byte virus, probably from Chile. Not fully analysed. Cpw 80FC 4B74 2F3D 003D 742A 80FC 4374 25EB 1590 B42A CD21 81FA Deicide II-Brotherhood - CN: Probably written by the same author as the other Deicide II viruses, and just as badly written as they are. This variant is 693 bytes long, and contains text messages indicating that it searches for some of the viruses it is related to. Brotherhood B440 BA00 01B9 9902 CD21 B457 B001 5A59 CD21 B43E CD21 8B1E

Girafe - CER: This ia a polymorphic, variable-length virus, which cannot be detected with a hex pattern. It includes the strings ‘Amsterdam = COFFEESHOP!’ ‘[ MK / Trident ]’. This seems to indicate that the virus is written by the same author as the MtE- Coffeshop virus, although it is encrypted in a different way. The virus activates on Thursdays, displaying a cannabis leaf, and the text ‘legalize cannabis’. The most interesting feature of this virus is that instead of using MtE, it uses another polymorpic ‘engine’, which has been called TPE. IPER - CR: A 1062 byte virus. Awaiting analysis. IPER 5B80 3FE9 7403 E9BF 008B 4701 E83E FF81 C3C0 0089 07B8 0057 Kalah-499 - CR: Related to the Kalah virus, but somewhat longer. Detected with the Kalah pattern. Kthulhu - CN: This 512 byte virus activates on May 20th, displaying the message ‘Today is my birthday’. Kthulhu 817D 1A48 EE77 E781 7D1A 5802 72E0 8BD7 83C2 1EB8 0043 CD21 Little Brother-361 - P: Yet another member of this family. Little Br-361 9C06 1E50 5352 3D00 4B75 03E8 0B00 5A5B 581F 079D 2EFF 2E69 Loki - CER: A 1237 byte virus. Awaiting analysis. This virus will damage some files it infects. Loki 33F6 33FF B900 01F3 A45E 560E 1FB9 0B05 F3A4 5FC3 0633 C08E Malaise - CER: A 1355 byte virus. Awaiting analysis. Malaise 9C3D 004B 7410 3D12 EF75 05B8 3412 9DCF 9D2E FF2E B601 2E8C Mr. Virus - CN: A 508 byte virus which does not appear to do anything particularly interesting. Mr. Virus B440 8B5C 41B9 3E02 BA00 012B CA8B D62B D14A 8B4C 47CD 21B8 Ncu Li - ER: A 1688 byte virus. Awaiting analysis. Ncu Li A5A5 5F5E 071F 58C3 2EC6 0619 0100 509C 580D 0001 509D 58C3 PS-MPC - CN, EN, CEN: Several new PS-MPC-generated viruses have appeared recently. Any program able to detect the PS-MPC encryption method will detect them. However, as none of them are particularly interesting or have appeared in the wild, they will not be listed here. Shadow - CEN: A 1200 byte virus. Awaiting analysis. Shadow 5E83 EE0C 90BB 2F00 902E 8B54 2D90 2E8B 0033 C22E 8900 83C3 Storm, Tatou - CR: A 1153 byte virus. Awaiting analysis. Storm FA9C 3D00 4B74 143D FE4B 9075 07BD 3412 909D FBCF FB9D 2EFF Timemark-1076 - ER: A new variant of this virus. Similar to those reported earlier, but with several minor changes - perhaps in order to avoid some virus scanners. Timemark-1076 B8EE 4BCD 2172 03EB 6F90 0706 8CC3 4B8E DB8B 1E03 0083 EB44 Trivial 84 - CN: This virus overwirites the beginning of infected files, and makes no attempt to preserve their functionality, so it is extremely unlikely to spread. It can be disinfected, however, as it stores the overwritten code at the end of the file. Trivial 84 2172 42BA 9E00 B802 3DCD 218B D8B4 3FB1 54B2 A051 CD21 722D VCL-822 - CN: This variant calls itself ‘Yankee Doodle 2’, but that name should not be used. It is 822 bytes long, and detected in the same way as other VCL-generated viruses. Vienna-598, -547 - CN: Two unremarkable Vienna variants detected with the W13 pattern. Vienna-1054 - CN: A 1054 byte, encrypted variant. Vienna-1054 81C7 F5FD B954 0390 8BF2 81C6 4901 33DB 8A3C 8A05 32C7 8805 Wilbur - CN: This 512 byte virus contains the texts ‘Wilbur sez Hi!’ and ‘Origin: Berlin, Maryland 7Apr92’. It does not seem to do anything noteworthy. Wilbur 7269 8BF5 81C6 C001 8BFE B920 008B 9EB8 01FC AD33 C3AB E2FA Wizard - CR: A 268 byte virus. Awaiting analysis. Wizard 80FC 4B74 052E FF2E F602 9C50 5351 5256 1E06 B801 43B9 2000 X-1 - EN: A 562 byte virus. Awaiting analysis. X-1 0E1F 8C06 6C03 8C16 6E03 8926 7003 8CC8 0510 0033 DB4B 8BE3 Yankee-2885 - CER: This virus is derived from one of the TP variants (possibly TP 44), but has been changed considerably. Yankee-2885 0376 2080 FC03 5053 5152 5657 1E06 9031 C050 0726 C536 4C00

INSIGHT

Scotland Yard’s Virus Hunters

New Scotland Yard’s Computer Crimes Unit (CCU) is not set in the somewhat glamorous surroundings of New Scotland Yard, but in a scaffolding-clad building immediately behind Holborn Police Station. It is from here that the CCU operates, monitoring all aspects of computer crime for the Metropolitan Police.

The aims of the CCU are set out in their seven point charter, reproduced below:

➤ The investigation of computer crime. New Scotland Yard’s Computer Crime Unit is located directly ➤ To raise the level of awareness of the Police service as behind Holborn Police Station in the legal heartland of London. to the use of computers in crime. ➤ To train and advise officers how to investigate computer crimes. One of the many hurdles the unit has to overcome is the ➤ To raise the level of awareness within the information reluctance of users to report computer crime. The CCU technology community as to how the Police service can receives an average of three reports of virus outbreaks a assist them with computer crime related problems. week - a small fraction of the actual incidents which occur. ➤ To act as a liaison point for gathering of computer- Without receiving formal complaints from the public, related evidence. however, the unit is powerless to act. ➤ To provide a national collation point for liaison with Many people still seem to treat computers as if they are telecommunication carriers. somehow different from normal law. If a person forcibly ➤ To provide a liaison point for reports of computer virus entered a house without permission there would be no problems. question as to whether or not the police should be informed, even if there was no damage done and no property stolen. The unit consists of five officers who face a mammoth task: When the same thing happens to a computer however, the policing all incidents which fall into the category of crimes victim frequently perceives the crime as far less serious. ‘where a computer is the object of the offence.’ This brief therefore neatly covers incidents involving hacking and Another part of the job is increasing the awareness of computer viruses. computers within the Metropolitan Police. ‘After all,’ points out DC Chris Pierce, ‘computers are a tremendous aid to Trophies From The Hunt investigation.’ Explaining to other units how to take advantage of this and the ways computers can be used as a Detective Constable Noel Bonczoszek has been with the tool to investigate crime, is a highly valued part of the job. unit for some years and has been integral to the unit’s fight against computer crime. Simply walking around their office The CCU plays the role of a translator, providing specialist gives a feel for the unit’s history. Pinned to the noticeboard support to those who need it. ‘One of our jobs is to act as an is a signed extradition order for Popp, the man behind the intermediary between the experts, the lawyers, and the AIDS diskette case. Below it sits a framed ten pound note victim. We have a very good overview of the situation, and bearing the legend ‘Presented to Noel Bonczoszek from know whom to contact for each specific problem we Chris Pierce’ - the result of a bet over whether anyone encounter. It’s almost like being a system analyst of would ever be brought to court for that case. The whole computer crime!’ adds Pierce. office is filled with mementoes like these - trophies from many years of hard work. Each of the officers has their own area of specialist knowledge, but none would claim to be a ‘computer wizard’. This Seated looking out over London, with a steaming cup of is no drawback - a solid understanding backed up by strong coffee (part of the staple diet of the unit) Bonczoszek acknowledged experts has helped make the unit a world begins to explain some of the CCU’s history and problems. leader in tackling computer crimes.

When asked if it was difficult to prove guilt to a jury of Back To The Future... laymen in a complex technical case, Pierce replied ‘No, not What of the future? As virus code becomes more freely really. A jury is very good at distinguishing right from available it is an open question whether the law as it stands wrong. Our job is therefore simply to find an expert who is really protects the user. The Computer Misuse Act is largely capable of explaining these complex issues in court.’ untested, and only time will tell if charges placed now under the act will stand up in court. Pierce is confident that Unlawful Entry justice will be done - if the law proves to be weak, then new Viruses are not by any means the unit’s main concern. legislation will have to be put in place. Many of the cases have involved disgruntled employees Pierce does not think there is a problem: ‘Think of the who attempt to take advantage of their privileged positions. Computer Misuse Act as the first Road Traffic Act - it had to ‘In the days when everything was carried out on paper, five be developed to protect the people as things changed. If the or six employees would need to work together to cover their Computer Misuse Act needs to be developed, it will be.’ tracks - now on a computer, one person can alter all the relevant information.’ explains Bonczoszek. The relatively untested nature of the law is about to change. Last month an advert was run in a UK computer magazine, Another typical scenario is the system which is operated by Micro Mart, offering for sale ‘over 350 viruses, including a single ‘wizard’. To such an operator the system frequently boot sector, mutating viruses etc.’ The advert went on to acquires a life and character of its own, and he can become explain that these viruses should only be used for test extremely possessive. ‘Often we see an attitude of ‘‘if I purposes, and should not run under any circumstances. can’t have it, you won’t either’’ ’, adds Bonczoszek. Whenever a system is dependent on a single man, there is a On 10th December 1992, officers from the CCU working in built-in risk - nobody else can fully understand how things conjunction with officers from the Warwickshire constabu- are structured. Bonczoszek strongly advises against relying lary raided a house in connection with this advert. One man on any one person: ‘Somebody else apart from the system has been arrested for offences under Section 3 of the manager should be responsible for system security - don’t Computer Misuse Act. put all your eggs in one basket.’ Clearly Bonczoszek is reluctant to comment for fear of Most computer crime still goes on at a relatively simple prejudicing the case. However, he did say that evidence had level. ‘At the moment computer hackers are using quite been seized and that the case would be referred to the simple methods of hacking a system as many basic loop- Crown Prosecution Service. Virus Bulletin will cover the holes have not been closed.’ Pierce commented. ‘The next case in detail as soon as it comes to trial. wave of hackers will be much harder to deal with.’ When many systems still have their factory preset passwords Success in these test cases is important - if this case proves installed, it is small wonder that hackers have not resorted that it is legal to trade malicious code, the door will be left to using the more sophisticated weapons in their armoury. open to anyone who wishes to do so, and Bonczoszek, Pierce and the rest of the team are present at a highly critical time. It is therefore vital that the unit gets full support from all those involved in this area in any way - especially from users and companies whose machines are hacked into or infected by a computer virus.

Because of the problems of proving an individual has written a virus and then deliberately spread it, some would doubt whether the unit can really help. When Bonczoszek is asked if the CCU can effectively do anything to fight the virus authors he smiles a wolf’s smile: ‘If we found out that the Dark Avenger was in Britain, of course we’d take action. And that’s a promise.’

The mood within the unit is surprisingly optimistic - rather than being cowed by the prospect of an avalanche of viruses, they simply plug holes as they appear. ‘We’ve got ’Ello, ’ello ’ello. From left to right: DC Chris Pierce, various things in the pipeline,’ says Bonczoszek mysteri- DS Steve Littler and DC Noel Bonczoszek. ously, ‘you can expect to see results in the future’

known to be at large. It also missed all the Mutation Engine SCANNER UPDATE infections and its false-positive identification of Anarkia in a text file provides an eye-opening insight to Xtree’s Mark Hamilton detection strategy. A better result than last year, but still woefully inadequate.

1993 Scanner Shoot-out Norton Antivirus Version 2.1 It is now six months since Virus Bulletin last pitted the ever-increasing number of virus scanners against the VB test-sets. This comparative review has proved to be the In The Wild 95.31% biggest ever, with 20 products tested. Standard 98.63% Enlarged 93.49% The essential criteria which all products should meet are: Mutation Engine 94.14%

➤Their ability to detect viruses known to be in the wild. Symantec’s Norton Antivirus proudly displays a sticker ➤Their ability to detect self-mutating strains. affixed to its packaging that proclaims ‘Detects 100% of all viruses in the NCSA Library’. I have no information as to ➤ Their concordance with each other. the precise contents of this library, but Norton Antivirus Any well maintained scanner should score 100% against the certainly does not detect all the viruses in the various test- ‘In The Wild’ test-set, as these are the viruses which it is sets used here. Its Mutation Engine detection algorithm likely to encounter. Another telling result is Mutation needs tightening, as it detected only 1,446 of the 1,536 Engine detection. Even though the Mutation Engine has samples. Although the product did not fare too badly in any been known about since last March (see VB, April 1992, of the test-sets, its results were not outstanding. Most p.11), many scanners fail to detect it. In that edition VB’s seriously, it missed viruses from the ‘In The Wild’ test-set. Technical Editor wrote: ‘Perhaps the appearance of the Mutation Engine should be considered a torture test for the R&D departments of all the anti-virus companies - if they Virex-PC Version 2.3 are not able to detect it in a couple of months they would be well advised to redirect their efforts to other pursuits.’ Far more than a couple of months have passed, and all scanners In The Wild 99.22% should get full marks. Standard 98.90% Enlarged 96.42% The ability of the different packages to co-exist is measured Mutation Engine 99.93% in the concordance test. This test is of particular interest to anyone who wishes to use more than one scanner, as much Virex-PC missed one virus, SBC, from the ‘In The Wild’ time could be lost due to false alarms. test set, but fared better in the Mutation Engine test-set, detecting all but one of the samples. However, Virex does Two products submitted failed very early on in the testing have a problem with the concordance test: AVScan detected process: the disks supplied with Fifth Generation’s Un- the signature for the 570 virus in this scanner, Sweep found touchable product were unreadable, and Leprechaun’s signatures for Filedate 11-537, VCL-3 and Ryazan and PC- Virus Buster insisted on aborting with run time errors. Eye reported an infection by USSR-1594.

Allsafe Version 4.1 Sweep Version 2.44

In The Wild 81.25% In The Wild 100% Standard 94.51% Standard 100% Enlarged 87.48% Enlarged 96.42% Mutation Engine 0% Mutation Engine 100%

Xtree’s Allsafe had file dates of June 1992, and it showed Another healthy result for Sophos’ Sweep. Its recently its age by performing poorly in all the virus detection tests. overhauled scanning engine has helped make this one of the Particularly worrying is its failure to detect several viruses faster products tested.

In The Wild Standard Enlarged Mutation Engine Overall Package 128 364 783 1,536 Performance

Allsafe 104 344 685 0 78.82

AVScan 128 364 771 1536 99.92

Central Point AV & 125 353 705 Failed to complete 92.33 CPAV-SOS

F-Prot 128 364 779 1536 99.97

HT-Scan 121 354 683 1446 94.72

Integrity Master 123 348 692 0 90.86

IBM AntiVirus 128 360 741 1536 99.62

McAfee Scan 128 360 751 1536 99.69

Norton Antivirus 122 359 732 1446 90.79

PC-Eye 126 361 732 0 93.34

Search & Destroy 125 356 735 1446 92.60

Sweep 128 364 755 1536 99.82

TBScan 126 358 715 1536 98.15

Toolkit (S&S) 128 362 776 1536 99.93

VI-Spy 128 363 763 115 94.85

Virex-PC 127 360 755 1535 94.09

Viruscure-Plus 103 296 505 0 75.74

VIS 127 364 782 137 94.37

Detection Results: The overall performance of each product is in the form of a percentage, where each of the test-sets is weighted according to their importance. The appropriate weightings are: In The Wild 80, Standard 10, Enlarged 5, Mutation Engine 5. The scores for the Mutation Engine detection are calculated on an all or nothing basis.

AVScan Version 0.98H HT-Scan Version 1.19

In The Wild 100% In The Wild 94.53% Standard 100% Standard 97.25% Enlarged 98.47% Enlarged 87.23% Mutation Engine 100% Mutation Engine 94.14%

AVScan is a freeware scanner by H+BEDV Datentechnik HT-Scan is now in its 19th release and needs to be able to Gmbh, a German software house. AVScan’s scanning detect more common viruses, as it failed to find Father, engine performed extremely well against all the test-sets, PcVrsDs, Spanz and SBC from the ‘In The Wild’ test-set. and was also one of the fastest scanners tested. AVScan is HT-Scan uses an external module to detect Mutation currently available on CompuServe where it can be Engine-encrypted viruses and this obviously needs further downloaded from the Virus Help forum. development - it missed 90 of the 1,536 infections.

Dr Solomon’s Anti-Virus Toolkit Version Integrity Master Version 1.13d 6.02 In The Wild 96.09% In The Wild 100% Standard 95.60% Standard 99.45% Enlarged 88.38% Enlarged 99.11% Mutation Engine 0% Mutation Engine 100% The failure to detect any samples of the Mutation Engine, Problems were encountered with the Windows version of coupled with its poor performance in the ‘In The Wild’ test- Doctor Solomon’s Anti-Virus Toolkit when it came to set make this a disappointing result for this product. detecting the Mutation Engine-encrypted samples. The first time I ran the test, the program reported that it had detected 1,474 files infected with viruses and that it had checked the same number of files. However, this test-set contains 1,536 IBM AntiVirus/Dos and IBM AntiVirus/2 infected files so I re-ran the test: again only 1,474 files Version 1.00 checked. On the third run, this figure improved by one to 1,475. In each case it detected all the files as being infected. In The Wild 100% The final run provided me with the somewhat confusing Standard 98.90% results of 1,927 files checked with 1,925 infected files Enlarged 94.64% found (out of a possible 1,536 files)! This bug aside, both Mutation Engine 100% the DOS and Windows Toolkit performed very well IBM AntiVirus is reviewed in this edition of VB (see p.18) so the reader is referred there for detailed information. Central Point Anti-Virus and CPAVSOS Version 1.4 PC-Eye Version 2.1 In The Wild 97.66% Standard 96.98% In The Wild 98.44% Enlarged 90.04% Standard 99.18% Mutation Engine Failed to complete Enlarged 93.49% Mutation Engine 0% Two offerings from Central Point Software were entered: its commercial anti-virus product (CPAV) and a new, free, PC-Eye performed tolerably well in the tests, even though it scanner-only version (CPAVSOS), which the company is missed one Whale and one of the Tequila infections in the distributing electronically. The principal difference between ‘In The Wild’ test set. Surprisingly, it is totally unable to the two is that CPAVSOS has no cure capabilities. In terms detect any Mutation Engine-encrypted code; it is to be of detection capabilities both versions fared the same, hoped that its author, PC Enhancements, develops and failing to detect the Father and Crazy Eddie viruses con- incorporates the necessary algorithms before viruses which tained in the ‘In The Wild’ test set. Central Point’s software use the Mutation Engine become commonplace. suffers from a bug which meant that it failed to complete the Mutation Engine test, hanging the PC [see p.21. Ed.]. McAfee Scan Version 99 F-Prot Version 2.06b In The Wild 100% Standard 98.90% In The Wild 100% Enlarged 95.91% Standard 100% Mutation Engine 100% Enlarged 99.49% Mutation Engine 100% McAfee Associates’ Scan has consistently scored well in VB comparative reviews. This time is no different, although the These excellent scores speak for themselves. results in the Standard test-set are a little disappointing.

Hard Drive Scan Hard Drive Scan Floppy Drive Scan Floppy Drive Scan Package "Turbo" Mode "Secure" Mode "Turbo" Mode "Secure" Mode

Allsafe 0:54 2:16 0:08 0:13

AVSearch 0:29 1:10 0:03 0:07

Central Point Anti-Virus 1:30 2:35 0:06 0:11

Central Point Not Applicable 2:35 Not Applicable 0:11 Anti-Virus-SOS

F-Prot 0:16 1:12 0:03 0:06

HT-Scan 0:52 1:59 0:08 0:41

Integrity Master 0:50 1:45 0:03 0:08

1:38 3:11 IBM AntiVirus 0:14 0:51 0:30 1:20

McAfee Scan 1:18 2:56 0:05 0:12

Norton AntiVirus 0:56 2:04 0:07 0:10

PC-Eye 0:20 0:59 0:04 0:44

Search & Destroy 0:36 1:29 0:08 0:11

Sweep 0:21 1:52 0:03 0:05

TBScan 0:18 1:06 0:03 0:50

Toolkit (S&S) 0:25 0:55 0:03 0:04

VI-Spy 0:39 4:00 0:03 0:38

Virex-PC 1:10 3:31 0:03 0:49

Viruscure-Plus 0:53 Not Applicable 0:09 Not Applicable

VIS 1:26 4:44 0:18 0:31

Speed tests: While detection is more important than speed it is interesting to note the wide variations in scanning speed. A high scanning speed does not necessarily mean poor detection - the most accurate scanner in the test, F-Prot, was one of the fastest. The two times shown for the IBM product are respectively for building its integrity database and scanning, and integrity checking only.

Search & Destroy Version 25.08 TBScan Version 5.02

In The Wild 97.66% In The Wild 98.44% Standard 97.80% Standard 98.35% Enlarged 93.87% Enlarged 91.32% Mutation Engine 94.14% Mutation Engine 100%

Search and Destroy is a new product which Fifth Genera- ESaSS, the Dutch company which writes TBScan, has tion launched just before the end of last year. Like Untouch- clearly spent a great deal of time improving its product’s able, Search and Destroy has been licensed from BRM. It user interface. It now sports a smart menu-driven front-end failed to detect Father and Penza from the ‘In The Wild’ program which makes it much easier to use. It missed two test-set and while it reported the Dir II infected file as viruses from the ‘In The Wild’ set - SBC and Spanz - but corrupted by a virus, the virus name itself was displayed as otherwise does reasonably well and is one of the faster garbage characters. products tested.

written in a high-level language and now features a Win- Viruscure-Plus Version 2.41 dows-like, DOS character-mode interface (a true Windows version is also supplied) has greatly impacted on its scanning speed: it is now the second slowest of all the In The Wild 80.47% scanners tested. PC-Eye reported that one of the VIS Standard 81.32% executable files was infected with the Not1491 virus. Enlarged 64.50% Mutation Engine 0% Observations IMSI’s Viruscure-Plus includes a customised version of Every product in this review should score 100% when McAfee Associates Pro-Scan and this has the unenviable tested against the ‘In The Wild’ test-set. It is also reason- position of being the worst performer of all those tested. It able to expect a good score against the standard test-set, as missed too high a proportion of those viruses known to be all these viruses have been known for at least a year. at large - these include Father, Spanz, Vienna 2B, Warrier, Old Yankee 2, Penza, Spanish Telecom 1 and Spanish Mutation Engine detection is equally important, and is very Telecom 2. It only found 81% of the infections in the much a case of all or nothing. If one sample is missed on an ‘Standard’ test set, 64% of those in the ‘Enlarged’ test set infected machine, the virus will simply continue its spread and none of the Mutation Engine-encrypted samples. The unabated. It is therefore unacceptable that some vendors, version tested was unable to read any of the boot sector- after many months of access to code, are still not achieving infected disks - the only product to fail this test. These reliable MtE detection. problems aside, AVScan detected the signature for the Slow virus in this scanner’s executable file. For many users, a scanner is the only line of defence against virus attack. If your scanner has performed badly, it is time to consider seriously just how well your PCs are protected. VI-Spy Version 10 The Test Sets In The Wild 100% 1. In The Wild Standard 99.73% Where appropriate one genuine COM and one EXE file infection Enlarged 97.45% of: 1575, 2100, 4K, 777, AntiCAD, Captain Trips, Cascade Mutation Engine 7.49% 1701, Cascade 1704, Dark Avenger, Dark Avenger, Dir II, Eddie 2, Father, Flip (20 COM and 20 EXE), Hallochen, Jerusalem, Keypress, Maltese Amoeba, Mystic, Nomenklatura, Nothing, Two things mar the performance of this product from RG PcVrsDs, Penza, SBC, Slow, Spanish Telecom 1 (5 COM), Software. First, it was only able to detect only 115 of the Spanish Telecom 2 (4 COM), Spanz, Syslock, Tequila (5 EXE), 1,536 Mutation Engine-encrypted files and, secondly, Vacsina, Vienna 2A, Vienna 2B, Virdem, W13-A, W13-B, AVScan detected the signature for Aircop within one of its Warrier, Warrior, Whale (11 COM), Old Yankee 1 and Old executable files. In spite of this, VI-Spy continues to be a Yankee 2. strong American contender. The following genuine boot sector infections: Aircop, Brain, Disk Killer, Form, Italian Generic A, Joshi, Korea A, Michelangelo, New Zealand 2, NoInt, Spanish Telecom, Tequila. 2. Mutation Engine VIS Anti-Virus Utilities Version 4.1 This test-set consists of 1,536 genuine infections of the Groove virus which uses Mutation Engine encryption.

In The Wild 99.22% 3. For details of the other test-sets used please refer to: Standard 100% [1] Standard Test-set: Virus Bulletin, May 1992 (p.23). Enlarged 99.87% [2] Enlarged Test-set: This unofficial test-set comprises 783 Mutation Engine 8.92% unique infections. Technical Details: A disappointing result in the ‘In The Wild’ test-set and All speed tests were conducted on an Apricot Qi-486/25. The Mutation Engine test-set for this usually faultless scanner. Hard drive speed tests were the time taken to scan a 30Mb Total Control has since informed VB that these problems partition containing 1,645 files (29,758,648 bytes) of which 421 are due to bugs in the software, which has just undergone a (16,153,402) were executable. The floppy disk used was a 720 major upgrade, and that the version sent was part of an Kbytes disk containing 7 files (675,454) of which 3 files (25,805) extended Beta test. The fact that the new version has been were executable.

its own Interrupt 13h handler, which intercepts all calls to VIRUS ANALYSIS 1 the BIOS disk services, before allowing the boot sequence to continue normally. Tim Twaits CMOS Modifications The CMOS1 Virus The CMOS battery backed RAM in an IBM compatible PC contains the non-volatile system configuration information. It is rare that a virus introduces a completely new idea - The CMOS1 virus modifies this information to indicate that most are simply adaptations of existing viruses with small there is no A: drive attached to the computer. This appears modifications or additions. The author of the CMOS1 virus, to be an attempt to force the PC to boot from the C: drive in however, seems to have managed to find a new approach. all circumstances, thus ensuring that the virus is always To the best of my knowledge it is the first virus which resident in memory. This in itself provides cause for modifies the non-volatile system configuration data in the concern, but more worryingly, it seems as though the author CMOS RAM in anything other than a destructive way: then intended the machine to reboot from the correct drive. hence the name CMOS1. If this strategy had been successful it would be impossible to achieve a clean boot and the virus would be very difficult In The Wild Origins to detect. Fortunately, the author has made a number of false assumptions which mean that the virus will never It was unusual to receive this virus from a user whose PC function as described on a truly IBM compatible machine. had been infected rather than from one of the many virus However, be warned - presumably it worked (at least to researchers and collectors. As such, it provides an insight some extent) on the virus author’s machine. into how a new virus is first detected and countered. The first suspicion of something amiss arose because of an error This virus fails in its attempt to prevent a clean boot, but it condition detected by the Windows 3.1 32-bit disk driver. It must be asked whether such a feat is feasible. The answer would have been easy to ignore the message, since Win- to this could have a large impact on the viability of current dows still ran successfully without using the 32-bit driver. virus detection procedures. Luckily somebody decided to investigate. Because of the variations between PC BIOSes, it would The first step taken was to attempt to scan the machine for appear that the boot sequence varies between machines. On known viruses. However, after performing a clean boot the machines on which I tested this virus, the Power On from a system diskette prior to running the virus scan, the Self Test routine detected the presence of a floppy disk hard drive could not be accessed. Armed with this knowl- drive regardless of the CMOS contents. This function edge of the symptoms, the investigator identified another appears to be reasonably standard, so this technique is infected machine. Both machines were immediately highly unlikely to be the basis of a successful virus. isolated and all associated diskettes quarantined. Infection At this point I received a copy of the virus. As soon as a The virus always infects drive 80h (normally drive C) recognition pattern had been extracted, a complete scan of immediately after booting from an infected diskette. Further all machines and disks was undertaken. In this case the diskettes are infected when their contents are read. Thus virus had been contained and no new infections were simply inserting a diskette and typing DIR A: will cause the discovered. The source of the infection was later traced to a diskette to become infected. When infecting a disk, the golf game which had recently arrived from Taiwan. This virus needs to keep a copy of the original boot sector so that game had also been sent to an office in South Africa, so the the boot sequence can be completed successfully after the virus may well have spread further afield. virus code is executed.

Operation On a hard disk the original MBS is stored in sector 17, cylinder 0, head 0. On a diskette an extra track (number 40 CMOS1 is primarily a master boot sector virus. When the or 80, depending on the disk size) is formatted at the end of computer is booted from an infected disk the virus gains the normal data area. Creating this extra track has the control. It creates a ‘hole’ in memory by decrementing a advantage that the storage capacity of the diskette is not data value in the ROM BIOS data area which contains the affected. However, not all systems can access this extra useable memory size. This has the direct effect of reducing track successfully, and this will cause some machines to the available DOS memory by 1K. The virus then installs hang when booting from an infected diskette.

Stealth These files are only produced when writing the EXE header to sector 3 on any cylinder in the range 512-767. The disk The virus intercepts all requests to read the master boot must contain a significant amount of data before this occurs. sector and returns the contents of the original sector to the caller. This effectively hides the virus from scanning software unless a clean boot is achieved. It also provides Removal the mechanism by which the virus invokes the original boot After performing a clean boot, one can detect the presence code at initialisation. The virus issues an INT 19h call to of the virus both in the boot sector and in any files by using restart the system once the intercept handler is installed. a simple search pattern. It is important to check data files as The system then starts normally since the bootstrap code well as executables, since they may have been corrupted. If will now load the original boot sector. the machine is one which can be prevented from booting from the A drive, it is possible to erase the CMOS contents All requests to write to the master boot sector are also by removing its battery. intercepted, allowing the write operation to complete but then immediately re-infecting the disk. The result is that one The virus can be removed from the Master Boot Sector on can run utilities which modify the boot sector, such as hard disks by copying the original contents which were FDISK, without displacing the virus. stored by the virus (sector 17, cylinder 0, head 0) back to the boot sector (sector 1, cylinder 0, head 0) using a disk The virus contains another feature, which could perhaps be editor such as The Norton Utilities. Alternatively, the described as stealth. As well as overwriting the code in the Master Boot Sector can be rewritten by using the master boot sector, the virus also overwrites the partition FDISK /MBR command or by performing a low-level table with invalid data. Thus when booting from a clean format. Be warned that because the virus corrupts the system diskette the hard drive cannot be accessed directly. partition data stored within the Master Boot Sector, using Although one cannot scan the drive to detect the virus, the the FDISK /MBR command will not recover the data stored absence of logical drive C betrays its presence. on the drive; it will simply overwrite the virus code.

Increased Contagion And Trigger In an attempt to make itself more contagious the virus will CMOS1 infect some EXE files written to drive A. The infection routine is primitive, as the file is simply overwritten by the Aliases: None known. virus. The program infects drive 80h immediately upon execution. This type of infection occurs whenever data Type: Resident semi multi-partite. starting with 4Dh (the EXE header identifier) is written to sector 3 on any cylinder of the diskette. This not only Infection: Master boot sector and EXE files. produces infected EXE files but will also corrupt any files which contain a sector starting with 4Dh. Recognition:

While the creation of infected program files will undoubt- System Hard drive not accessible after clean edly help the virus to spread, it also significantly reduces boot. Windows 3.1 32 bit disk driver will the chance that the virus will survive in the wild. Since the not load. Location 28h in Master Boot infected programs are overwritten with the virus code they Sector is 7Ch. no longer retain their original function, providing an Hex Pattern immediate signal that something has gone awry. While I do B0FF E621 BA80 00B9 0100 B811 not think that it is beyond the (limited) technical ability of 039C 9A?? ???? ??FE C680 E607 the virus author to devise a more sophisticated strategy, the code size has been restricted to less than 512 bytes, and Intercepts: Interrupt 13h for stealth (boot sector there is simply no room for a routine which would make only) and infection. this virus truly multi-partite. Trigger: Creates Trojanised EXE files when A proportion of EXE files written to fixed drives will be writing to certain areas of a disk. The similarly modified, although in this case the modified programs destroy disks. program has a more disastrous effect. It will overwrite the first track of the first fixed drive, effectively making all data Removal: See text. inaccessible. The data on any diskettes is also overwritten.

VIRUS ANALYSIS 2 Operation While resident, the virus intercepts only the DOS Load and Jim Bates Execute calls (function 4B00h) issued to the system. As with the rest of the virus code, the routine is primitive and makes only the most rudimentary checks on potential DOSHUNTER - Search And Destroy targets for infection. The first check ensures that the first letter of the target filename extension is ‘C’ - this excludes EXE and overlay files but could still cause problems on a People often ask me if I get bored constantly disassembling system where segmented executable code is used from files viruses and I must admit that there are times when I find it which match this criterion (*.COD or *.CEX for example). difficult to maintain the spark of interest. It is usually the simplest, most primitive viruses that provoke this ennui but The virus checks whether a file is already infected by the latest virus to arrive on my desk, in spite of being one of opening the file and reading the first 483 bytes into the simplest that I have recently examined, provided a memory. Then the word at offset 6 is tested for a value of refreshing change from the malicious intricacies of Starship 061Ah. If the target file is found to be infected, the file is and Commander Bomber. closed, the attributes and date/time stamp are repaired and the original system request is allowed to continue unmo- As reported in the End Notes and News of last month’s lested. If the file is not infected, a check is made to deter- Virus Bulletin, various alarms of a vicious new virus have mine that the size of the target file is above 483 bytes been received from the Netherlands recently and it proved (which is also the overall length of the virus code). difficult to determine precisely what the problems were. Finally, a specimen copy was sent to me for disassembly. The virus is named internally as DOSHUNTER and in spite ‘‘When the system date is 26th of the alarmist nature of the reports, analysis shows it to be nothing more than an extremely primitive overwriting virus. June, the trigger routine is invoked. However, the code does contain a destructive trigger routine that executes on a system date of June 26th (any year), This attempts to overwrite the first overwriting the data held on drive C. 128 sectors of drive C’’

Installation The virus begins by checking whether the system date is Once the suitability of the target file has been verified, the 26th June. If it is, processing is immediately transferred to virus copies the first 483 bytes of the program file and the trigger routine. On other dates processing continues by appends them to the end of the file. Then the complete virus moving the host file to a position beyond the end of the file code is written to the beginning of the file and the file in memory and repairing it. attributes and date/time stamp are restored to their original value, thereby concluding the infection process. Thus Next, an ‘Are you there?’ call is made by inserting a value infected files will be 483 bytes longer than they were and of C600h into the AX register and issuing a DOS INT 21h the virus code will be at the beginning of the file. function call. If the virus is resident in memory, this call returns with 07B7h in AX. There are some errors within the virus which will cause system malfunction. The main one involves the way that the It should be noted that this call may cause problems with virus attempts to avoid the DOS error reporting functions. some older Novell NetWare systems which use a similar The DOS error handler is disconnected during the infection subfunction request to set a compatibility mode. routine but is not reconnected properly afterwards. Thus the next error condition encountered is likely to send the If the ‘Are you there?’ call is answered, processing passes processor on a voyage to nowhere. This is probably how the to the host file. However if the virus is not already memory- virus came to be reported in such a garbled fashion. resident, the existing INT 21h vector is collected and stored within the virus data area. A new memory block at the top Terminate With Extreme Prejudice of memory is created by dividing the existing block into two and the virus code is moved into it. Finally, the virus’ When a system date of 26th June is detected, the trigger own INT 21h handler is hooked into the system and then routine is invoked. This attempts to overwrite the first 128 the host file is repaired in memory and executed. sectors of drive C with garbage. If successful, this will

destroy the vital system and file management areas of the disk and result in the loss of data. Recovery may be VIRUS ANALYSIS 3 possible in some instances but will be a long and expensive process. After the overwriting routine has completed, the Penza - Variations On A Familiar Theme virus displays the message: DOSHUNTER I ACTIVE. (C) ACORN. Reports have been received from users in the north of The significance of the June 26th date and the ‘(C) England of the Penza virus at large. This sample is another ACORN’ message are not immediately apparent. relatively primitive virus. It is 700 bytes long, and the code is stored in a non-encrypted form. Complete disassembly Removal took only a few minutes and it was immediately apparent that the writer has copied certain techniques from other As with all parasitic viruses, the best method of removal is viruses, notably the interrupt stripping (sometimes called to reboot the machine from a clean system floppy and then tunnelling) routines introduced some time ago by the replace all infected files with clean originals. It is possible Eastern European virus writers. to repair files by replacing the virus code with the last 483 bytes of the file and truncating the file length by 483 but The Penza virus infects any executable files (regardless of this is really a job for an expert and must be undertaken the file extension) which are between 513 and 65535 with care in a clean machine environment. Note that under (inclusive) bytes in length. The infection technique used certain circumstances, COMMAND.COM will become when the target file is segmented (the most common infected and this will invariably result in unpredictable example of this is a .EXE file) mirrors that used in some system behaviour. other early viruses: the file is made into a binary image type by overwriting part of the header and then appending a segment relocation routine. The overall change in length DOSHUNTER caused by this modification is 700 bytes. Installation When invoked, the virus code sends an ‘Are you there?’ Aliases: None known. call consisting of placing a value of FF00h in AX and issuing an INT 21h function request. If the virus is resident Type: Parasitic, overwriting virus. this returns with FF00h in the CX register. If the virus is Infection: *.C?? files greater than 483 bytes in already memory-resident, the host file memory image is length. repaired and control is passed to it. If this is not the case, processing passes into the installation routine within the Recognition: virus code. Files Word value of 061Ah at offset 6 in the file. The virus then creates a new memory control block at the System 0C00h value in AX and INT 21h returns top of conventional memory and copies the virus code into 07B7h in AX if virus is resident. it. The existing address of the DOS INT 21h service routine is collected and stored. Hex Pattern 3D00 4B74 0E3D 00C6 7405 2EFF Effective Stripping 2EDF 02B8 B707 CF06 531E 52B9 One of the more interesting parts of the virus is the way it Intercepts: INT 21h, function 4B00h for infection and locates the original DOS INT 21h vector. This technique, INT 24h for internal error handling. known as interrupt stripping or tunnelling allows direct access to the DOS INT 21h call. This is done by taking Trigger: Overwrites first 128 sectors of drive C: advantage of the single-stepping interrupt, INT 01h, which with garbage, uses INT 26h Absolute causes an INT 01h call to be made after every instruction. Disk Write. The virus simply installs a temporary INT 01h handler and issues an INT 21h request. Removal: Specific and generic disinfection is possible. Under clean system conditions, The resulting code is single stepped through, with control identify and replace infected files. returning to the virus’ INT 01h handler between each instruction. The virus continues this single stepping until it

detects that it is now executing the original DOS INT 21h Payload handler. The memory address of this handler is stored, and Although this virus does contain a trigger routine, the from this point on any DOS INT 21h calls are made directly conditions for its execution are quite rare, so few people are to the DOS INT 21h handler. likely to witness it under ordinary conditions. After the Once an acceptable address has been found, the INT 01 infection routine, the virus tests the last five bits of the routine disables itself by resetting the single step trap flag. system clock and if they are all zero, the trigger routine will No attempt is made to repair the INT 01 vector address. As be invoked. This condition happens once every 32 clock this is rarely used by ordinary software, it is unlikely to ticks of the clock, thus there is only a 1 in 32 chance of this cause noticeable problems except when attempting to run happening during infection. When it does happen, the software debuggers etc. Once the installation routine is following message is displayed: completed, processing is returned to the host file. Welcome to Penza! This is followed by a beep from the speaker. After this, Infection processing continues normally by loading and executing The virus intercepts requests for function 4B00h of the the target file. DOS services interrupt INT 21h and immediately installs a dummy error handler into the INT 24h vector position. This ensures that DOS will not report any spurious error messages to the screen. PENZA

Any restrictive attributes of the target file are then removed and the file is opened. The date and time stamp of the file is collected and stored and the file length is checked. If the Aliases: None known. length is between 513 and 64735 (inclusive) it is considered suitable for infection, otherwise the interrupt request is Type: Parasitic file infector (including allowed to continue. The last two bytes of the opened file COMMAND.COM under certain circum are then examined to see whether they are C7h and 07h stances). respectively. If so, the file is considered to be already infected and processing continues into DOS. Infection: Any executable files between 513 and 64735 bytes long. If the virus deems the file suitable for infection some attempt is made to determine the file type. If the file begins Recognition: with ‘MZ’ (indicating an EXE file), the virus inserts a jump Files 07B7h as the last word in the file. instruction to the byte beyond the end of the program (thus making it into a COM type file). The virus code is then System FF00h in AX returns the value FF00h in appended to the file before the relevant repairs are com- CX after INT 21h. pleted to the target file and processing is allowed to continue. Infected files show a size increase of 700 bytes. Hex Pattern

Thus EXE files will first execute the virus code and then CF32 C0CF 9C50 3500 4B75 03E8 jump to a segment relocation routine which will undertake 0E00 583D 00FF 7502 8BC8 9DEA the same relocation that DOS does when executing EXE Intercepts: type files. COM files execute the virus code and then jump INT 21h for infection, ‘Are you there?’ call and back to their own initial instruction. detection of trigger condition. INT 24h for internal error handling. Disinfection INT 01h to enable stripping of INT 21h. While it is possible to disinfect files by replacing the modified byte and truncating the file, this is quite involved Trigger: Displays message ‘Welcome to Penza!’ and might well be different if there are other similar strains of this virus around. Disinfection is really a job which Removal: Specific and generic disinfection is should be left to the experts, and then only as a last resort. It possible. Under clean system condi- is usually far safer to replace the infected file with an tions, identify and replace infected files. uninfected backup.

PRODUCT REVIEW 1

Mark Hamilton

IBM AntiVirus

When IBM announced the release of its new anti-virus package at a breathtaking price of $29.95 minor tremors were sent throughout the industry. The software is the result of five years’ research and development by IBM Research [For an interview with one of the authors of this package, see VB, December 1992, p.6. Ed.]. There are currently two versions available: IBM AntiVirus/DOS which contains both IBM AntiVirus attempts to combine the benefits of an integrity the DOS and Microsoft Windows versions of the product checker and a scanner in one easy to use package. and IBM AntiVirus/2 which has the OS/2-hosted version. Both versions are delivered on two 3.5-inch, double-density diskettes accompanied by a 38-page manual. Having selected the drive, the installation program copies I have tested both versions of the product and they perform the relevant selected portions to the hard disk. You are then identically in terms of their virus detection capabilities. asked whether you wish to have your AUTOEXEC.BAT However, there are some differences in their functionality, file updated. If you elect not to allow this, an example file is and where this occurs I will draw the necessary distinctions. created in the product’s home directory. The next step consists of making an initial check of your Installation files and constructing a database containing their integrity information. Before adding each file’s characteristics to the IBM’s previous anti-virus product, VirScan, consisted of a database, it is scanned for viruses and then the relevant scanning engine, a signature file and disk-based documenta- integrity information is extracted. tion. VirScan was a command line-driven program which provided a large number of configurable options set by using switches on the command line. User-friendly it was Automatic Detection not, but it got the job done. All this has changed - and IBM AntiVirus has been designed as an ‘install and forget’ changed radically - with IBM AntiVirus. product - once installed you may never need to run any of its programs manually. The product is configured to be run The installation process is simple and easy to follow. The automatically at boot time, and at the end of the installation installation program starts by checking its own integrity process the frequency of the checks is set. This can range before checking memory for known viruses. Once this from ‘Every Boot’, ‘Daily’, ‘Weekly’, ‘Monthly’ to ‘None’. process is complete the user can then set the various The OS/2 version provides a further option to enable the PC configuration options. to run the program at a particular time of day. IBM You are given the choice of installing just the DOS version AntiVirus added 30 seconds to the boot-time of my machine or the DOS and Windows versions (except for the OS/2 to check the 421 files it considered executable. version). Having made your choice, the installation program All the versions of IBM AntiVirus run as menu-driven, calculates the amount of disk space required, and displays mouse-aware full-screen applications but with a command this along with a list of all local fixed drives and their free line parameter that instructs the program to run without space. This is a nice touch - with so much software being human intervention. This ‘auto-pilot’ mode is automatically issued in compressed format, it is impossible to judge how disengaged if any virus-like activity is detected. much disk space it will require, and few users are aware of exactly how much space their hard drive has available. Another nice feature is that the programs are not too disk Boot Sector Oversight hungry - the DOS version requires approximately 720 If it can, AntiVirus always checks the Master Boot Sector kilobytes of disk space and the Windows version requires and the active Partition Boot Sector and here I noted a approximately twice this. weakness. The Apricot Qi-486/25 used for this review has

both MS-DOS and OS/2 installed, with the active Partition includes menu options for checking diskettes and other pointing to IBM Boot Manager. At boot-up time Boot drives. In this latter case, the configuration options are Manager displays a menu which allows me to choose stored separately from those pertaining to the automatic which operating system I want to use. tests. Therefore, for speed purposes, you could set up the automatic checking of just COM and EXE files at boot time While testing to see if the product is capable of checking and configure the manual checking for other file types. This the DOS boot sector even though it is not marked as active, could then be run overnight or during a lunch break. There I discovered that I could make changes to this sector with are also facilities to check single files. The package is impunity. IBM has since explained that the scanner does not highly configurable - right down to the warning message use heuristic analysis on boot sectors, as no successful which appears whenever it detects a problem. algorithm has been developed - this is still being worked on. However, it does successfully scan for known DOS boot If problems are detected, the program suggests undertaking sector viruses, regardless of the presence of Boot Manager. a full check of all available drives. This is a very wise precaution and is the default action.

Innovation Under OS/2 and Windows Enhanced Mode all the checking IBM AntiVirus is different from many of its competitors in can be performed in background. Under OS/2 the load was that it combines an integrity checking method with a significantly less than Windows, and the 30 seconds which scanner. Whenever AntiVirus/DOS is asked to check a drive the product added to the boot time of my system under DOS or set of files, it checks to see whether a database entry completely disappeared. exists for each file. If one does, the program examines the integrity ‘record’ of the file against its previously stored Scanner Accuracy entry. If they are identical, the next file is processed. If they do not - that is to say, the file has been modified in some In tests, IBM AntiVirus detected all the viruses in the Virus way - it is scanned for viruses and the file is classified Bulletin ‘In The Wild’ test set, missed four samples con- according to the results of the scan. tained in the ‘Standard’ test set and detected 94.5% of infections in the unofficial ‘Expanded’ test set. In the If any inconsistencies have been detected, the program ‘Polymorphic’ test-set it failed to detect any samples of the displays its ‘Results from check for viruses’ dialogue box V2P6 virus which dropped its performance to 66%. which contains three list boxes. If a file has been attacked A new test set has been introduced this month - the ‘MtE’ by a virus and that virus can be positively identified and a test set. This test-set is made up of 1,536 genuine infections cure exists within IBM AntiVirus, an entry appears under of the Groove virus, which uses Mutation Engine ‘Verified as infected’. The file name is listed together with encryption. This product successfully detected all 1,536 the virus and you can disinfect, erase or ignore all or any of infections, achieving an impressive 100%. these infections.

If a file has been attacked by a virus and it cannot be cured, then its details appear in a second list box entitled ‘Probably infected’. Files can either be erased or ignored.

If a file has changed but does not contain a known virus, IBM AntiVirus will attempt to determine, by heuristic analysis, whether the change was as a result of virus infection or by some other means. The results of this examination appear in the ‘Suspicious’ list box. Again, you can either ignore or delete files listed here.

The integrity database only contains entries for files that are completely clean and have not appeared in any of these list boxes - there is therefore no chance of a virus accidentally slipping through!

IBM’s ‘install and forget’ philosophy is quite acceptable Files fall into one of four categories: Infected, Probably Infected, Suspicious and Clean. This may come as a shock for those and does not ignore the fact that you might want to perform accustomed to the usual True/False scanner output. one-off checks of diskettes. To cover this, the program

In addition to these good test results it successfully flagged as ‘Suspicious’ those files I intentionally changed - regardless of the type of change or whether the change was in the IBM AntiV irus middle or at either end of the file. I also deleted its database and was gratified to discover that it assumed no database existed and therefore built one from scratch - by scanning Scanning Speed the files for viruses first and refusing to include any that Hard Disk: were in any way suspicious or, indeed, infected. All in all, its detection capabilities are highly creditable. Integrity Checking Only (Normal Operation) 30 secs (538.4 Kbytes/sec) Both the OS/2 and DOS versions provide a memory- resident detector which, IBM claims, can disinfect viruses Scanning and building database 1 min 38 secs in memory and warn if an infected program is run. If (170.0 Kbytes/sec) enabled under DOS 5, this occupies 640 bytes of conven- Floppy Disk: tional memory and the rest of the code is relocated into EMS. The OS/2 DOS shield is capable of protecting all Scanning and building database 14 secs Virtual DOS Machines. Scanner Accuracy It is worth pointing out that the integrity shield can only [1] detect viruses that are at large - it does not detect the vast VB Standard Test-set 360/364 98.90% majority of viruses which, so far, have not been circulated Expanded Test-set[2] 741/784 94.51% outside the virus writing and anti-virus communities. This is a double-edged sword because the user has no control over ‘In The Wild’ Test-set[3] 116/116 100.00% which viruses the shield is capable of detecting - a virus which is believed not to be in circulation one day may well ‘Polymorphic’ Test-set[4] 100/150 66.67% appear ‘in the wild’ the next. ‘MtE’ Test-set[5] 1536/1536 100.00% The rationale behind IBM’s thinking is that the main program can disinfect any viruses thrown up by the DOS Technical Details session shield. I would prefer it if the session shield could detect all viruses regardless of whether or not they are Product: IBM AntiVirus/DOS and IBM AntiVirus/2 known to be ‘in the wild’ - this is a far more secure strategy. Version: 1.00 Author: IBM AntiVirus Services, 1 East Kirkwood Boulevard, All versions have comprehensive context-sensitive on-line Roanoke, TX 76299-0015, USA help. This includes not only generalised help topics, but a Telephone: +1 (800) 551 3579 for a single copy. tutorial about viruses, and a large number of virus descrip- +1 (800) 742 2493 for site licenses and a full range of services. tions - especially those in the wild. +31 30 383816 (companies in the Netherlands). +45 93 45 45 ext 3341 (companies in Denmark). Fax: +1 (214) 235 9586 Conclusions Price: $29.95 each. This is an effective product that has been well thought-out; Test Hardware: All tests were conducted on an Apricot Qi486 it is also a product that is in continuous development and running at 25Mhz and equipped with 16MB RAM and 330MB IBM promises to include greater degrees of functionality hard drive. IBM AntiVirus was tested against the hard drive of this and security with each subsequent release. machine, containing 1,645 files (29,758,648 bytes) of which 421 were executable (16,153,402 bytes) and the average file size was 38,370 bytes. The floppy disk test was done on a disk containing Having read this, you might decide you want to buy a copy 7 files of which 3 (25,508 bytes) were executable. of AntiVirus/DOS or AntiVirus/2, or indeed both, particularly since they cost $29.95 each! For details of the test-sets used, please refer to:

[1] However, IBM has the policy is that it is up to each country Standard Test-set: Virus Bulletin - May 1992 (p.23). to decide if it wishes to stock an IBM product, and to date [2] This unofficial test-set comprises 784 unique infections. the product is only available in the US and Holland. It is to [3] In The Wild test-set: Virus Bulletin - January 1993 (p.12). be hoped that AntiVirus becomes widely available, as at the [4] Polymorphic test-set: Virus Bulletin - June 1992 (p.16). price it provides unbeatable value for money, and outper- [5] MtE test-set: Virus Bulletin - January 1993 (p.12). forms some products which cost many times as much.

PRODUCT REVIEW 2

Dr Keith Jackson

PC Tools 8

The subject of my review this month, PC Tools, is the latest in a long line of versions of this software package. For the record, I first wrote about PC Tools over five years ago (not for VB), and it has come on a long way since then - not least in the amount of disk space required by the software. The original PC Tools fitted on to a single floppy disk, Version For all its mammoth size, a great deal of attention to detail can be 8 comes on five compressed 1.44 Mbyte disks (3.5 inch, seen in the product. Here the software warns against a potentially permanently write-protected), and when installed occupies dangerous operation. over 8 Mbytes of hard disk space. PC Tools and The Norton Utilities compete for what is Component Parts effectively the same market, and they have no other serious The software provides a host of facilities in one integrated competition. Norton Anti-Virus was reviewed in the January package. Many versions ago, they were just individual 1991 edition of VB, and again in April 1992, but the ‘tools’ which had been bolted together, but since then the compete Norton Utilities (as opposed to just the anti-virus package has been given more cohesion, and has a compre- part) has never been reviewed by VB. hensive ‘desktop’ program which can be used to control just about anything. Doorstop Documentation A complete list of the available functionality is impossible In last month’s review I spent some time complaining about in this short review, but just including those features that the skimpiness of the documentation. PC Tools lies at the are relevant as far as dealing with viruses is concerned other extreme; it comes with two large bound volumes produces the following list - data recovery features, an comprising nearly 1500 pages of very thorough documenta- emergency disk that can be used when all else fails, security tion. It is well laid out, thoroughly indexed, and my only programs that can help monitor unwanted introduction of complaint is that one index refers to both volumes (using a files and aid in their removal, an anti-virus program which slightly different typeface for each), so that I continually can detect, remove and immunise, memory-resident looked things up in the wrong book. However if the programs that monitor for virus activity, a backup program, documentation had comprised 1500 pages in one enormous and a scheduler that lets PC Tools programs (or any doorstop of a book, I suppose that I would have complained program, for that matter) operate at regular timed intervals. even more. Bear in mind that this merely describes the facilities that are The first VB review of Central Point Anti-Virus stated that useful in fighting viruses, it ignores the notepad, outliner, the documentation was a ‘professionally produced work’, calculator, database, fax, electronic mail facilities etc that but somewhat ‘uninspiring’, the next review stated that it are also included. had improved to ‘very readable’, and with Version 8 I am Given the breadth of coverage provided, I will concentrate pleased to see that further development work has been put on the facilities available from the components of PC Tools in and the documentation has improved even more. All this which are relevant to anybody having to deal with effects is coupled with on-line help, so the developers deserve ten caused by computer viruses. These can range from detect- out of ten for documentation. ing virus infections on floppy and hard disks, to repairing damage to hard disks which exhibit one of the myriad Installation problems caused by viruses. Installing PC Tools proved to be very easy. The installation Central Point Anti-Virus (one component of PC Tools) was program firstly scanned memory for viruses, then detected reviewed by VB in June 1991, and looked at again as that I had a colour video monitor, and offered various recently as May 1992, but Version 8 of PC Tools is a major screen choices. The installation process can either be mouse upgrade which well deserves looking at in its entirety. driven or keyboard driven (as can all the PC Tools pro-

grams). A complete installation requires nearly 9 Mbytes of capable of scanning my hard disk in 33 seconds, searching hard disk space, but this can be reduced either by installing through 744 files occupying 10 Mbytes of disk space. For one of the preselected stripped down versions, or by using comparison purposes, Dr Solomon’s Anti-Virus Toolkit the custom installation option to decide for yourself which performed the same test in 14 seconds, and Sweep from components are required. A de-installation option is Sophos took 13 seconds in quick scan mode, and 53 proffered to the user but unfortunately this does not work seconds when doing a complete scan. too well. Although it removes the PC Tools executable programs, and other files in the same subdirectory, it leaves The accuracy of virus detection was quite good - PC Tools checksum files (.CPS) scattered throughout every directory detected all except four of the 215 virus samples listed in of the hard disk. the Technical Details section below (it missed Kamikaze, Rat and two copies of Amstrad). There were many in- The installation programs warns users not to install PC stances of wrong naming of viruses which went beyond the Tools while in the midst of trying to recover information nomenclature problems produced by many other scanner from a damaged hard disk - after all, installing new software programs, as it really does seem to detect the wrong virus can overwrite the very files that need to be retrieved. on occasions. Given the interlinked nature of many species Therefore even though most of the files are held in com- of virus this is neither too surprising nor too worrying. Very pressed form on the PC Tools floppy disks, the components impressively, all of the recently introduced test viruses were which are required to execute from floppy disk are stored in detected correctly, though rather curiously the omitted uncompressed form. They will therefore operate directly Amstrad virus samples were detected by previous versions from the floppy disk, albeit minus some of their features, of this program. such as on-line help. I tried to test the scanner against 1024 samples of the During installation an ‘Emergency Disk’ can be created (on Groove virus, which is encrypted using the Mutation a blank floppy disk) which contains the requisite MS-DOS Engine. This proved impossible, as the package consistently files to boot a computer, the DISKFIX program that is locked up while running this test, and would not produce a capable of repairing many disk problems, mouse drivers, report on file. After much effort I retrieved the unsaved file the MS-DOS program FDISK for use when a hard disk has from the disk (using PC Tools!), and discovered that it to be repartitioned, the PC Tools disk formatting program, detected 235 from the first 256 samples of the Mutation and the UNDELETE and UNFORMAT utilities. Engine (92%), and always locked up when exactly 255 viruses had been entered into the report. This is such a This is a comprehensive set of tools, although it should be ‘round number’ that it is almost certainly a software bug. noted that it takes up over a megabyte of disk space, and is About half of the Groove virus infections were not denoted therefore not much use on older PCs which have floppy by this name but were identified as simply ‘infected’ with disk drives with a smaller capacity. I was impressed that PC the Mutation Engine. Tools even took note that I use the Stacker compression utility and copied the requisite software across to the Emergency Disk.

Virus-Specific Detection As far as viruses are concerned with PC Tools, the main possibilities seem to be to detect whether a virus infection is present, remove any incidence of the infection, repair any damage caused to data stored on a disk (of any type), and restore files from backup if they are irretrievably damaged. I’ll consider each of these aspects below.

The Central Point Anti-Virus software incorporated within PC Tools is seemingly identical to that distributed as a stand-alone package. The reader should refer to the complete VB review of this package mentioned above for comprehensive details of the available facilities, which have not changed substantially. However, the test set of viruses One of the principal criticisms of Central Point Anti-Virus was used for these reviews has been extended in recent months, that it blindly recreated missing checksum files. This loophole has so I retested the virus detection capabilities. PC Tools was now been plugged.

Generic Detection would advise that virus infections are best cleared up using DOS, rather than having a layer of Windows software The last VB review of Central Point Anti-Virus complained insulate the user from direct access to the hardware. that although it claimed to monitor file integrity using a ‘checksum’, this did not seem to be calculated across the entire file. Indeed tests showed that there was no possibility Conclusions that the software was examining the entire file. The manual Complaints about this month’s product are few and far is still quite explicit on this point. It states that in each between. I do feel miffed at having to give up nearly 9 subdirectory there is ‘a database of statistics, about each Mbytes of precious disk space, but if vendors wish to cater executable file size, attributes, date, time and a checksum’. for all possibilities, then size inevitably becomes a problem. There is still no mention of a checksumming algorithm, Keeping programs small enough so that they can be which makes it hard to take such a system seriously. executed directly from a floppy disk is the real problem, as this is essential when dealing with viruses. PC Tools can Other available anti-virus facilities are immunisation only just do this, and already inherently assumes that a high against viruses (against which I have railed in the past, so I capacity floppy disk is available. will not repeat the arguments against this technique here), the capability of removing viruses from infected files The virus detection report really should not lock up so (which seemed to work well), and several memory-resident thoroughly that it does not leave behind an intact report file, utilities which attempt to detect virus activity during normal after all, an infected hard disk may well contain more than computer operation. 255 infected files. Leaving behind umpteen checksum files scattered in every subdirectory of a hard disk after PC Tools Disaster Recovery has been de-installed may well have been a design decision The mainstay of any anti-virus strategy should always be taken to facilitate software upgrades, but I found myself frequent, tested, backups. The backup facilities offered by becoming irritated at having to clear them all out manually. PC Tools are comprehensive to say the least, including data It is my firm belief that anyone who has to deal with virus compression, password protection, encryption (to varying outbreaks needs to purchase one or other of The Norton degrees of security), and on-the-fly virus detection. Back- Utilities or PC Tools, but I don’t think it really matters ups can be written to floppy disk, a network drive, and a which one is chosen. Personally I use Norton, but that is SCSI or a QIC tape drive. Various types of full or partial more a matter of history than logic, as I was introduced to backup can be taken, and in common with the anti-virus Peter Norton’s programs first. If I had come across PC features, backups can be organised by the scheduler Tools first then I may well have taken the inverse choice. If program on a timed basis. you don’t own a copy of at least one of them, then one day If the worst has happened and a virus has actually triggered, you’ll find out why you should. then other components of PC Tools come into their own, and provide comprehensive facilities to help ameliorate the Technical Details consequent problems. Files, subdirectories, disks, disk sector(s), the boot sector or the FAT can be manipulated by Product: PC Tools version 8 an experienced user. Indeed it is possible to do almost Developer: Central Point Software Inc., 15220 NW Greenbrier Parkway, #200/Beaverton, OR 97006, USA, Tel: +1 (503) 690- anything to a hard disk drive, though like all powerful tools 8080, BBS: +1 (503) 690-6650, and +44 (81) 569-3324. this must be used with due care and responsibility. Vendor(s): Available from most computer dealers. The COMMUTE program lets a user of one PC operate Availability: IBM PS/2, PC, XT, AT and most IBM compatible another PC either via a modem, across a network, or via a computers, with DOS v3.3 (or later), 512 Kbytes of RAM (640 Kbytes recommended), 1 floppy disk drive and 1 hard disk drive. serial line. Most (all?) of the available programs have an Express menu system and a Full menu system. The former Version evaluated: 8 provides simple execution facilities, and the latter lets Serial number: None visible execution be tailored for a particular type of use. One Price: £139 +VAT helpful feature is that the transfer from Express menus to Hardware used: (a) 33MHz 486 PC, with one 3.5 inch (1.44M) Full menus can be password protected, so an administrator floppy disk drive, one 5.25 inch (1.2M) floppy disk drive, and a 120 Mbyte hard disk, running under MS-DOS v5.0. (b) 4.77MHz can enforce a particular way of operation upon users. 8088, with one 3.5 inch (720K) floppy disk drive, two 5.25 inch (360K) floppy disk drives, and a 32 Mbyte hardcard, running Operation is possible either from DOS or from Windows, under MS-DOS v3.30. For details of the viruses used for testing and the installation program creates a Windows group with purposes see Virus Bulletin, December 1992, p.22. an icon for every feature offered by PC Tools. However, I

Problems have been reported by users of Norton Desktop for Windows, which result in damaged data. The product, which includes an anti-virus element, is reported to cause file corruption and system instability under certain conditions. (File corruption may, however, be repaired using PC Tools. See p.21.) For further information contact Symantec. Tel. 0628 592222. Datawatch has upgraded its anti-virus product, Virex-PC, to make it more NetWare and Windows aware. The product is now capable of sending virus alerts to Novell NetWare consoles. Tel. +1 (919) 490 1277. The NETSEC ’93 conference, Network Security in the Open Environment, will be held on June 21-23, 1993 at the Capital Hilton, Washington. For further information, contact the Computer Security Institute. Tel +1 (415) 905 2310. Graphnet Computers has been appointed as the sole UK agent for V-BUSTER, a product which will ‘detect and inactivate a total of 1494 named viruses, as well as virtually all unknown ones.’ The software, written by Looi Software of Penang, Malaysia, costs £99 + VAT. It has not been reviewed by Virus Bulletin, however, as it is only sold in copy-protected form. Tel. 0278 663680. An infamous hacker has been charged with stealing United States Air Force secrets. Kevin Poulsen, who was accused in the early 1980s in a landmark hacking case, faces between seven and ten years in prison if convicted. He has allegedly stolen classified information, including a list of USAF targets in a hypothetical war. The Dutch Police’s computer crime squad has reported a doubling in the number of cases it has to handle. In a nine month period in 1992 the unit recorded 67 cases, compared to 33 for the same times last year. Frans van Gulik, commander of the Hague squad, commented that open systems and networking were increasing the opportunities open to criminals. Gareth Hardy, a former computer manager, has admitted planting a logic bomb in his employers system, according to a report in Computer Weekly. Hardy was employed by Chilworth Communications in July 1990, and following a number of warnings handed in his notice on 2nd September 1991. After this, he installed a logic bomb which encrypted a number of vital files one month after he left the company. In court, Hardy admitted to unlawfully making modifications to computer material, contrary to section 3 of the Computer Misuse Act. He was sentenced to 140 hours community service, and ordered to pay £3000 compensation. ASP has announced that as from January 1st, it is to transfer all maintenance, marketing and other responsibility for all information protection products currently made and marketed by ASP to outside companies in which ASP has no commercial interest. This transfer has been done so that ASP cannot be accused of a conflict of interest in its new joint venture with Information Integrity. The new project, Protection Experts, aims to provide on-line technical advice on computer security issues - charged at $3 a minute (‘just putting you on hold sir...’). For free information contact ASP. Tel. +1 (412) 422 4134.

VIRUS BULLETIN

Subscription price for 1 year (12 issues) including first-class/airmail delivery:

UK £195, Europe £225, International £245 (US$395)

Editorial enquiries, subscription enquiries, orders and payments:

Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Abingdon, OX14 3YS, England

Tel (0235) 555139, International Tel (+44) 235 555139 Fax (0235) 559935, International Fax (+44) 235 559935

US subscriptions only:

June Jordan, Virus Bulletin, 590 Danbury Road, Ridgefield, CT 06877, USA

Tel 203 431 8720, Fax 203 431 8165

No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

This publication has been registered with the Copyright Clearance Centre Ltd. Consent is given for copying of articles for personal or internal use, or for personal use of specific clients. The consent is given on the condition that the copier pays through the Centre the per-copy fee stated in the code on each page.